Date: Fri, 1 Aug 2025 15:55:36 +0300 From: Vadim Goncharov <vadimnuclight@gmail.com> To: Jason Bacon <bacon4000@gmail.com> Cc: freebsd-hackers <hackers@freebsd.org> Subject: Re: Non-root chroot Message-ID: <20250801155536.5aceeba0@nuclight.lan> In-Reply-To: <aa1950e6-46d0-44ed-8487-df45bad8b3c8@gmail.com> References: <aa1950e6-46d0-44ed-8487-df45bad8b3c8@gmail.com>
next in thread | previous in thread | raw e-mail | index | archive | help
On Fri, 1 Aug 2025 07:19:36 -0500 Jason Bacon <bacon4000@gmail.com> wrote: > I'm wondering if there is any way to perform a simple chroot without > having root privileges. The goal is to test software builds with access > to a limited set of dependencies, as poudriere does, but outside the > FreeBSD ports system, and in some cases on hosts where the user has no > root access. This will prevent configure scripts with hard-coded search > paths from finding things we don't want them to find. Portability to > other POSIX platforms would be desirable as well, but is not essential. > > It's not clear to me why chroot() wasn't designed to support this use > case. There's lots of documentation stating that it's a security risk, > but I don't see why it couldn't have been designed to be run by a > regular user without escalating privileges inside the chroot. I.e. if > user "joe" does such a user-level chroot call, then all chrooted > processes run as "joe", but with the path of the chroot dir prepended to > every open() call (after $CWD is prepended to relative paths, of > course), so that processes can only access files in the chroot dir. > User "joe" would have the same privileges inside the chroot that he has > on the host. One of the other security concerns mentioned is jail > breaks, but if joe managed to escape the chroot, he'd only be hurting > himself by borking the test build, so that's not a concern here. > > It might be possible to port fakechroot > (https://github.com/dex4er/fakechroot), proot > (https://github.com/proot-me/proot), or something similar, but is there > anything else on FreeBSD that can do this? What you want is called jail(8) and it was designed quarter of century ago exactly to overcome chroot() problems: https://papers.freebsd.org/2000/phk-jails/ (because one cannot just fix chroot) Nowadays, there are many jail wrappers so your task of same user unpriviliged user inside is highly likely solved already. -- WBR, @nuclight
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?20250801155536.5aceeba0>